--On Friday, August 6, 2021 3:11 PM +0100 Howard Chu <hyc(a)symas.com> wrote:
Planning to post this to -announce soon, any comments?
Just a reminder to everyone: the Project has a long-standing policy of
doing active development on only one release version at a time. To
allow time for migrations we provide some overlap from one release
version to the next. E.g., while 2.5 is active we will still provide
critical bugfixes for 2.4. Since 2.4 has been around for something
like 14 years now people may have forgotten this policy.
This is a heads up that with 2.6 due for release in September, all
updates to 2.4 will cease at that time. Likewise, when 2.7 is released
next year all updates to 2.5 will cease.
Also for clarity: We consider "Critical" bugs to include security
flaws resulting in unauthorized data disclosure, or unauthorized
remote code execution. We do not consider assert() failures or crashes
resulting only in Denial of Service as security flaws.
That's fine as a general statement, but what we need is an explicit
*documented* policy. Likely under "Release Documents" here:
Also, I'd like to see explicit terms here. I.e., 2.4 is now in
maintenance, which means only critical fixes are applied. 2.5 is active,
which means it has an active release schedule and is open for general bug
fixes. 2.6 is in development which means that is where all new feature
development and distruptive changes are occurring.
As a part of that explicit policy and terminology, we need to provide some
sort of time table on when a release moves from active to maintenance.
Clearly it would not have been fair to move 2.4 to maintenance the moment
2.5 released (for example we've done one non-security based release of 2.4
since 2.5 came out). At this point, I think it's fair for 2.4 to be in
maintenance and 2.5 to be the sole active release, however it would
generally be unfair to mark 2.5 maintenance the moment 2.6 releases.
Packaged, certified, and supported LDAP solutions powered by OpenLDAP: